Patent 



Amendments to the Claims 



1 (Previously amended): A system for authenticating a subject residing in a subject domain on a 
network to a server application residing in a server domain on the network, wherein an 
authentication mechanism residing in an authentication domain on the network affects the 
service provided by the server application, the system comprising: 

a client for communicating with other components of the system and for authenticating 
the subject to other components of the system by providing client credentials on 
behalf of the subject, wherein said client also resides in the subject domain; and 

a protocol proxy for communicating between said client and the authentication 
mechanism and for authenticating said client based on said client credentials, for 
obtaining from the authentication mechanism temporary credentials for said client 
to access the server application, and for creating from said temporary credentials 
an authentication name assertion allowing said client to access the server 
application. 

2 (Original): The system of claim 1, wherein: 

the subject is non-human and said client is integrated into the subject; and 
said client gathers subject credentials for the subject and communicates said subject 
credentials to said protocol proxy. 

3 (Original): The system of claim 1, wherein a plurality of the authentication mechanisms are 
present on the network, and the system further comprising: 

an agent for communicating with other components of the system and for interacting with 
said client to choose an appropriate authentication mechanism from among said 
plurality of the authentication mechanisms, wherein said agent resides in an agent 
domain on the network. 

4 (Original): The system of claim 3, wherein said client interacts with said protocol proxy to 
determine a specification of the authentication mechanism and said client communicates said 
specification to said agent. 



5 (Original): The system of claim 3, wherein said client includes a callback mechanism for 



said plurality of the authentication mechanisms. 

6 (Original): The system of claim 5, wherein said callback mechanism interacts with the subject 
to determine said appropriate authentication mechanism. 

7 (Original): The system of claim 5, wherein said callback mechanism accesses a configuration 
repository to determine said appropriate authentication mechanism. 

8 (Original): The system of claim 3, wherein said agent includes a mechanism resolver for 
determining from said plurality of the authentication mechanisms a subset of zero or more of the 
authentication mechanisms which affects the service provided by the server application. 

9 (Original): The system of claim 8, wherein said agent further includes an authentication agent 
for brokering between said client and said mechanism resolver. 

10 (Original): The system of claim 8, wherein said agent further includes a mechanism 
repository for storing information about said plurality of the authentication mechanisms and said 
mechanism resolver queries said mechanism repository when determining said subset of zero or 
more of the authentication mechanisms which affects the service provided by the server 
application. 

11 (Original): The system of claim 10, wherein said agent further includes a mechanism 
registrator for the authentication mechanism to register in said mechanism repository by adding 
information about itself. 

12 (Original): The system of claim 11, wherein said mechanism registrator is further for the 
authentication mechanism to update itself in said mechanism repository by changing information 
about itself. 
13 (Original): The system of claim 4, wherein said protocol proxy resides in said agent domain 
on the network. 

14 (Original): The system of claim 1, wherein said protocol proxy resides in the authentication 
domain on the network. 

15 (Original): The system of claim 1, wherein said protocol proxy uses a standard security 
protocol to communicate with said client and a mechanism-specific protocol to communicate 
with the authentication mechanism. 

16 (Previously amended): The system of claim 1, wherein at least one of said client and said 
protocol proxy authenticates using SRP protocol. 

17 (Previously amended): The system of claim 1, wherein said protocol proxy produces a signed 
name assertion. 

18 (Currently amended): The system of claim 17, wherein said signed name assertion is 
contained in a S2ML document. 

19 (Currently amended): The system of claim 17, wherein said protocol proxy further 
produces a signed name entitlement. 

20 (Previously amended): The system of claim 1, wherein said protocol proxy uses a proxy 
name assertion to authenticate itself to the client. 

21 (Previously amended): The system of claim 1, further comprising an adapter for receiving 
said authentication name assertion, recreating said credentials, and permitting said client to 
access the server application based on said credentials. 
22 (Previously amended): A method for authenticating a subject residing in a subject domain on 
a network to a server application residing in a server domain on the network, wherein an 
authentication mechanism residing in an authentication domain on the network affects the 
service provided by the server application, the method comprising the steps: 

(a) authenticating the subject to a protocol proxy with a client by providing subject 
credentials on behalf of the subject; 

(b) obtaining a name assertion from said protocol proxy via the authentication mechanism 
which will allow said client to access the server application, thereby mediating 
between said protocol proxy and the authentication mechanism to permit the 
subject to access the server application via said client; 

(c) creating an authentication name assertion with said protocol proxy based on said 
subject credentials which will allow said client to access the server application; 

(d) communicating said authentication name assertion to said client; and 

(e) communicating said authentication name assertion to the server application. 

23 (Previously amended): The method of claim 22, wherein the subject is non-human and said 
client is integrated into the subject, and the method further comprising: 

gathering said subject credentials with said client for the subject; and 
communicating said subject credentials to said protocol proxy. 

24 (Previously amended): The method of claim 23, wherein a plurality of the authentication 
mechanisms are present on the network, and the method further comprising: 

interacting between said client and an agent to choose an appropriate authentication 
mechanism from among said plurality of the authentication mechanisms, wherein 
said agent resides in an agent domain on the network. 

25 (Previously amended): The method of claim 24, further comprising: 

interacting between said client and said protocol proxy to determine a specification of the 
authentication mechanism; and 
communicating said specification with said client to said agent. 
26 (Previously amended): The method of claim 24, further comprising determining an 
appropriate authentication mechanism for accessing the server application from among said 
plurality of the authentication mechanisms. 

27 (Previously amended): The method of claim 26, further comprising interacting with the 
subject to determine said appropriate authentication mechanism. 

28 (Previously amended): The method of claim 26, further comprising accessing a configuration 
repository to determine said appropriate authentication mechanism. 

29 (Previously amended): The method of claim 26, further comprising: 

(f) resolving from said plurality of the authentication mechanisms a subset of zero or 
more of the authentication mechanisms which affects the service provided by the 
server application. 

30 (Previously amended): The method of claim 29, wherein said agent further includes an 
authentication agent, and the method further comprising: 

brokering between said authentication agent and said client in said step (f). 

31 (Previously amended): The method of claim 29, wherein said agent domain further includes a 
mechanism repository, and the method further comprising: 

storing information about said plurality of the authentication mechanisms in said 
mechanism repository; and 
querying said mechanism repository in said step (f). 

32 (Previously amended): The method of claim 31, further comprising registering the 
authentication mechanism in said mechanism repository by adding information about the 
authentication mechanism. 
33 (Previously amended): The method of claim 24, wherein said protocol proxy resides in said 
agent domain on the network. 

34 (Previously amended): The method of claim 22, wherein said protocol proxy resides in the 
authentication domain on the network. 

35 (Previously amended): The method of claim 22, wherein said protocol proxy uses a standard 
security protocol to communicate with said client and a mechanism-specific protocol to 
communicate with the authentication mechanism. 

36 (Previously amended): The method of claim 22, wherein at least one of said client and said 
protocol proxy authenticates using SRP protocol. 

37 (Previously amended): The method of claim 22, wherein said protocol proxy produces a 
signed name assertion. 

38 (Previously amended): The method of claim 37, wherein said signed name assertion is 
contained in a S2ML document. 

39 (Previously amended): The method of claim 37, wherein said protocol proxy further 
produces a signed name entitlement. 

40 (Previously amended): The method of claim 22, wherein said protocol proxy uses a proxy 
name assertion to authenticate itself to the client. 

41 (Previously amended): The method of claim 22, further comprising an adapter, and the 
method further comprising: 

receiving said authentication name assertion with said adapter; 
recreating said credentials with said adapter; and 

permitting said client to access the server application based on said credentials. 
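Illustrative model of the claimed architecture, added here as an editor's example; it is not the applicant's code and the claims above describe no implementation. It covers both the system claims (1, 3, 5-12, 16-17, 20-21) and the mirrored method claims (22, 24, 26-32, 36-37, 40-41): an agent-domain mechanism repository with registrator and resolver, a client callback that picks a mechanism from a configuration repository or from the subject, a protocol proxy that authenticates the client and signs an authentication name assertion, and a server-domain adapter that verifies the assertion and recreates the credentials. Everything named below is an assumption: HMAC-SHA256 over canonical JSON stands in for the signed S2ML document, a constant-time shared-secret check stands in for the SRP exchange, and all identifiers, keys and mechanism names are constructed for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key shared by proxy and adapter (assumption; real deployments would use PKI).
DEMO_SIGNING_KEY = b"demo-shared-signing-key"


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON; a stand-in for the signed S2ML name assertion."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class MechanismRepository:
    """Agent-domain mechanism repository, registrator and resolver (claims 8, 10-12)."""

    def __init__(self):
        self._mechs = {}

    def register(self, name, affects, issue):
        """Registrator: a mechanism adds information about itself (which services it affects)."""
        self._mechs[name] = {"affects": set(affects), "issue": issue}

    def update(self, name, affects):
        """Registrator: a mechanism changes information about itself."""
        self._mechs[name]["affects"] = set(affects)

    def resolve(self, server_app):
        """Resolver: the subset of zero or more mechanisms affecting server_app."""
        return sorted(n for n, m in self._mechs.items() if server_app in m["affects"])

    def issue_temporary(self, name, subject):
        """Obtain temporary credentials for the subject from the chosen mechanism."""
        return self._mechs[name]["issue"](subject)


def choose_mechanism(candidates, config_repo=(), ask_subject=None):
    """Client callback (claims 5-7): configuration repository first, then ask the subject."""
    for name in candidates:
        if name in config_repo:
            return name
    if ask_subject is not None and candidates:
        return ask_subject(candidates)
    return candidates[0] if candidates else None


class ProtocolProxy:
    """Authenticates the client, fetches temporary credentials, signs the name assertion."""

    def __init__(self, repo, signing_key, client_secrets):
        self.repo = repo
        self.key = signing_key
        self.client_secrets = client_secrets  # client id -> shared secret (stand-in for SRP)

    def proxy_name_assertion(self):
        """Claim 20: the proxy authenticates itself to the client with its own signed assertion."""
        body = {"issuer": "protocol-proxy", "role": "proxy"}
        return {"body": body, "sig": sign(self.key, body)}

    def authenticate_client(self, client_id, client_credential):
        """Constant-time shared-secret check; stands in for the SRP exchange of claim 16."""
        return hmac.compare_digest(self.client_secrets.get(client_id, ""), client_credential)

    def authentication_name_assertion(self, client_id, client_credential, subject,
                                      server_app, mechanism, now=None):
        if not self.authenticate_client(client_id, client_credential):
            raise PermissionError("client credentials rejected")
        if mechanism not in self.repo.resolve(server_app):
            raise LookupError("mechanism does not affect this server application")
        temp = self.repo.issue_temporary(mechanism, subject)
        body = {"subject": subject, "server": server_app, "mechanism": mechanism,
                "temp": temp, "exp": int(now or time.time()) + 300}
        return {"body": body, "sig": sign(self.key, body)}


class Adapter:
    """Server-domain adapter (claims 21, 41): verify, recreate credentials, permit access."""

    def __init__(self, signing_key, server_app):
        self.key = signing_key
        self.server_app = server_app

    def admit(self, assertion, now=None):
        body = assertion["body"]
        if not hmac.compare_digest(sign(self.key, body), assertion["sig"]):
            return None  # tampered or foreign assertion
        if body["server"] != self.server_app:
            return None  # issued for a different server application
        if (now or time.time()) >= body["exp"]:
            return None  # temporary credentials expired
        return body["temp"]  # recreated credentials the server acts on


def demo_flow(now=1_000_000):
    """End-to-end run on constructed data; returns what the adapter recreated, or None."""
    repo = MechanismRepository()
    repo.register("ticket-mech", ["payroll"], lambda s: "ticket-for-" + s)
    repo.register("otp-mech", ["mail", "payroll"], lambda s: "otp-for-" + s)
    proxy = ProtocolProxy(repo, DEMO_SIGNING_KEY, {"client-7": "client-7-secret"})
    mech = choose_mechanism(repo.resolve("payroll"), config_repo={"otp-mech"})
    assertion = proxy.authentication_name_assertion(
        "client-7", "client-7-secret", "sensor-42", "payroll", mech, now=now)
    return Adapter(DEMO_SIGNING_KEY, "payroll").admit(assertion, now=now)
```

The checks a practitioner would look for are the three rejection paths in `Adapter.admit`: a modified body fails the signature, an assertion minted for one server application is refused by another, and the temporary credentials carry an expiry so the assertion cannot be replayed indefinitely.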

Page 7 of 11 



PAGE 8/12 * RCVD AT 2/10/2004 5:18:34 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-2/24 * DNIS:8729306 * CSID:1 408 558 9960 * DURATION (mm-ss):04.50 



